OFFICE OF INSPECTOR GENERAL

AUDIT OF THE COST AND SECURITY POLICIES AND PROCEDURES FOR USAID'S MOBILE DEVICES

AUDIT REPORT NO. A-000-13-005-P
September 17, 2013

WASHINGTON, D.C.

This is a summary of our report on the "Audit of the Cost and Security Policies and Procedures
for USAID's Mobile Devices."

The National Institute of Standards and Technology (NIST) defined mobile devices as portable
computing and communications devices with information storage capability. Small and relatively
inexpensive, these devices can be used for many functions, including sending and receiving
electronic mail, storing documents, delivering presentations, and accessing data remotely.

USAID's Office of the Chief Information Officer is responsible for administering the Agency's
mobile devices. This includes establishing policies and procedures for the issuance, use,
administration, and security of the devices. As of September 2012, the Chief Information
Officer's inventory included:

    • 1,456 BlackBerry mobile devices
    • 53 iPads
    • 167 iPhones
    • 36 MiFi devices, which provide mobile hot spots for users to access the Internet

NIST reported that while handheld devices can enhance productivity, they also pose new risks
to an organization's security. For example, because of their small size and use outside the
office, the devices can be misplaced or stolen, which might allow an unauthorized person to
gain access to the information they store or access remotely. In addition, malware, which can
initiate a wide range of attacks and spread to other devices, could be downloaded to the
devices.

The Office of Inspector General's (OIG's) Information Technology Audits Division conducted this
audit to determine whether USAID (1) incurred reasonable costs[1] for its mobile devices and
(2) developed policies and procedures for securing its mobile devices based on an acceptable
level of risk to the Agency.

For the first objective, USAID did not incur reasonable costs. While the Agency obtained the
best value based on competitive procedures as required by Federal Acquisition Regulation
8.405-3, "Blanket purchase agreements," it did not:

• Review and accept costs associated with excessive charges. For September through
  November 2012, an average of 127 users incurred excessive charges totaling more than
  $118,000. OIG judgmentally selected 12 of those users who incurred $48,000 more than
  their base rate plans. However, USAID could not provide evidence that anyone on staff
  reviewed and accepted those charges.

• Formalize the review of unused devices. From September through November 2012, USAID
  incurred more than $64,000 in expenses for more than 300 mobile devices that were not
  used for at least 1 month during that period. This represented 11 percent of the total monthly
  invoices. Further, the Agency incurred more than $48,000 for 267 devices that were not
  used during the entire 3-month period.

[1] For the purposes of this audit, reasonable costs are defined as costs that (1) provide the best value to
the government in the same or similar circumstances, and (2) have been reviewed and accepted by a
knowledgeable individual.

For the second objective, the audit found that USAID developed numerous policies and
procedures for securing its mobile devices. However, they could be improved.

In addition, the audit found matters of concern, including the following.

• The Agency did not have a complete mobile device inventory. The Chief Information Officer
  did not implement formal, written procedures on how the inventory should be maintained.

• The Agency did not manage mobile device user agreements properly. A third of the forms
  were either incomplete, missing, or were approved by the person who had the device.

• Bureaus and offices did not fully reimburse the Chief Information Officer for mobile devices.
  As of March 2013, they owed more than $62,000.

The report contains 17 recommendations to help USAID strengthen controls over the cost and
security policies and procedures for its mobile devices. It also includes nine recommendations
to address matters of concern. In its comments on the draft report, USAID agreed to take
actions on all 26 recommendations. Based on our evaluation of the comments, we acknowledge
that USAID made a management decision on all 26 recommendations and that it had taken final
action on one of them.

U.S. Agency for International Development
Office of Inspector General
1300 Pennsylvania Avenue, NW
Washington, DC 20523
Tel: 202-712-1150
Fax: 202-216-3047
http://oig.usaid.gov